The path where the SELinux policy modules are built is normally
/var/lib/selinux. In our case we want to have those policies to be
installed somewhere under /usr. So we have a setup where
/var/lib/selinux is a symlink to /usr/lib/selinux/policy. The
/var/lib/selinux directory is normally created by
sys-apps/policycoreutils directory and we don't want to change it in
order to pursue the goal of putting the package back to
portage-stable.
On the other hand, the override of modules directory location can't
happen in the coreos-base/misc-files package, because
sys-apps/policycoreutils needs that directory to be already set up in
the package post installation time.
The override of the SELinux policy modules directory needs to be done
in the bashrc hook unfortunately. This will come in the follow-up
commit.
So the only thing left is to set up tmpfiles configuration file to
recreate the /var/lib/selinux symlink, since it can be removed when
wiping the filesystem.
Prepare the changes for upstreaming:
- Hide python dependencies behind the python USE flag.
- Allow using original sources, without Gentoo modifications with the
vanilla USE flag.
- This also hides app-admin/setools dependency behind this USE
flag. I'm not sure if anything in policycoreutils requires
anything from that package - I assumed that Gentoo-provided rlpkg
maybe does.
- Keep using /var/lib/selinux as a SELinux policy directory. We will
use INSTALL_MASK to skip installation of the directory and will add
a tmpfiles config file to coreos-base/misc-files instead.
Signed-off-by: Mathieu Tortuyaux <mtortuyaux@microsoft.com>
Signed-off-by: Krzesimir Nowak <knowak@microsoft.com>
Prepare the ebuild to be in an upstreamable state:
- hide python dependencies behind the IUSE flag
- move the semanage.conf additions to a patch
- that way, we can add a user patch that changes compression setting
that was added by Gentoo
Signed-off-by: Mathieu Tortuyaux <mtortuyaux@microsoft.com>
Signed-off-by: Krzesimir Nowak <knowak@microsoft.com>
The bundled gnu-efi build is implemented in a buggy way that can break when
built in parallel. We've hit this in the nightly sdk build. Add a patch for it.
The patch has been posted upstream at https://github.com/rhboot/shim/pull/643.
Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
Last nightly SDK failed to build due to a shim error, go back to the previous
build.
This reverts commit 735b2698bac434f9827b96b132eebabb8277bf31.
Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
We have an existing qemu_uefi_secure format definition, but it is
necessary to update it so that it actually works. Qemu needs to be
passed the correct flags to enable SMM, we need to switch to the Q35
machine, and we need to copy over the secboot variant of the OVMF
firmware.
This is just the contents of the section, but the section
itself is written by grub-mkimage. sbat.csv needs to be passed
with --sbat.
Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
Signed-off-by: Sayan Chowdhury <schowdhury@microsoft.com>
